LynkSif
CVE-2026-24858 (Fortinet) – FortiCloud SSO Auth Bypass under active exploitation
IOC + Hunting Queries for Wazuh / Splunk / Elastic. Prioritise hunting the chain:
SSO login → config download → add local admin.
Quick IOCs (hot filter)
FortiCloud SSO Accounts
cloud-init@mail.io
cloud-noc@mail.io
Source IPs
104.28.244.115
104.28.212.114
217.119.139.50
37.1.209.19
Suspicious Local Admin names
secadmin, itadmin, support, backup, remoteadmin, audit
SysAdmin tip: if you see an admin login with method sso from an IOC user or IP, keep hunting on the same device for a "download system config" event and for cfgpath="system.admin" action="Add" within the next 5 minutes. The full three-stage chain is the high-confidence signal; a single stage on its own is only a lead.
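The same three-stage hunt, written as a stand-alone Python script that can be pointed at exported FortiGate syslog. This is an added example, not part of the original post or a Fortinet tool: it parses the key=value log format, tags each line as SSO login by IOC / config download / local admin add, and reports only devices where all three occur in order within 5 minutes of the SSO login. The IOC lists and logid come from the page; the sample log lines are constructed for the demo (device names, timestamps and the non-IOC "admin"/"noc-ops" accounts are invented).

```python
"""Hunt FortiGate syslog for the CVE-2026-24858 post-exploitation chain:
SSO login by IOC -> system config download -> local admin added, within 5 min."""
import re
from datetime import datetime, timedelta

# IOCs taken from the advisory text above.
IOC_USERS = {"cloud-init@mail.io", "cloud-noc@mail.io"}
IOC_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
SUSPICIOUS_ADMINS = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}
CONFIG_DOWNLOAD_LOGID = "0100032095"
WINDOW = timedelta(minutes=5)

# FortiGate logs are space-separated key=value pairs; values may be quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate(line):
    """Return the key=value pairs of one FortiGate syslog line as a dict (quotes stripped)."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def classify(fields):
    """Map a parsed event to a chain stage ('sso_login', 'config_download',
    'admin_add') or None. Mirrors the three hunting queries in the post."""
    if fields.get("logdesc") == "Admin login successful" and (
        fields.get("method") == "sso" or fields.get("ui", "").startswith("sso")
    ):
        if fields.get("user") in IOC_USERS or fields.get("srcip") in IOC_IPS:
            return "sso_login"
    if fields.get("logid") == CONFIG_DOWNLOAD_LOGID or (
        fields.get("action") == "download" and "System config file" in fields.get("msg", "")
    ):
        return "config_download"
    if fields.get("cfgpath") == "system.admin" and fields.get("action") in ("Add", "Edit"):
        return "admin_add"
    return None


def stage_events(lines):
    """Parse all lines, keep those that belong to a stage, sorted by time."""
    events = []
    for line in lines:
        fields = parse_fortigate(line)
        stage = classify(fields)
        if stage is None:
            continue
        ts = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, stage, fields))
    events.sort(key=lambda e: e[0])
    return events


def find_chains(lines, window=WINDOW):
    """Return one dict per (device, SSO login) where download and admin-add
    follow, in that order, within `window` of the SSO login."""
    by_dev = {}
    for ts, stage, fields in stage_events(lines):
        by_dev.setdefault(fields.get("devname"), []).append((ts, stage, fields))
    chains = []
    for dev, evs in by_dev.items():
        for t0, stage, login in evs:
            if stage != "sso_login":
                continue
            later = [(t, s, f) for t, s, f in evs if t0 <= t <= t0 + window]
            dl = next((t for t, s, _ in later if s == "config_download"), None)
            if dl is None:
                continue
            adm = next(((t, f) for t, s, f in later if s == "admin_add" and t > dl), None)
            if adm is None:
                continue
            chains.append({
                "devname": dev, "sso_user": login.get("user"), "srcip": login.get("srcip"),
                "sso_at": t0, "download_at": dl, "admin_at": adm[0],
                "new_admin": adm[1].get("cfgobj"),
                "known_bad_name": adm[1].get("cfgobj") in SUSPICIOUS_ADMINS,
            })
    return chains


# Constructed sample log lines (not real telemetry). Device names and the
# "admin"/"noc-ops" accounts are invented; IOC values are the ones from the post.
SAMPLE_LOGS = [
    'date=2026-02-10 time=08:55:10 devname="FGT-EDGE-01" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 action="login" status="success" msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    'date=2026-02-10 time=09:12:01 devname="FGT-EDGE-01" logdesc="Admin login successful" user="cloud-init@mail.io" ui="sso(104.28.244.115)" method="sso" srcip=104.28.244.115 action="login" status="success" msg="Administrator cloud-init@mail.io logged in successfully from sso(104.28.244.115)"',
    'date=2026-02-10 time=09:13:40 devname="FGT-EDGE-01" logid="0100032095" logdesc="Config download" user="cloud-init@mail.io" ui="GUI(104.28.244.115)" action="download" srcip=104.28.244.115 msg="System config file has been downloaded by user cloud-init@mail.io via GUI(104.28.244.115)"',
    'date=2026-02-10 time=09:15:02 devname="FGT-EDGE-01" logdesc="Object attribute configured" user="cloud-init@mail.io" ui="GUI(104.28.244.115)" action="Add" cfgpath="system.admin" cfgobj="secadmin" cfgattr="accprofile[super_admin]" msg="Add system.admin secadmin"',
    # Second device: SSO login from an IOC IP, but no download and the admin add is 20 min later -> lead only, no chain
    'date=2026-02-10 time=10:00:00 devname="FGT-BRANCH-02" logdesc="Admin login successful" user="noc-ops" ui="sso(37.1.209.19)" method="sso" srcip=37.1.209.19 action="login" status="success" msg="Administrator noc-ops logged in successfully from sso(37.1.209.19)"',
    'date=2026-02-10 time=10:20:00 devname="FGT-BRANCH-02" logdesc="Object attribute configured" user="noc-ops" ui="GUI(37.1.209.19)" action="Add" cfgpath="system.admin" cfgobj="itadmin" msg="Add system.admin itadmin"',
]

if __name__ == "__main__":
    for c in find_chains(SAMPLE_LOGS):
        print(f"[!] {c['devname']}: {c['sso_user']} from {c['srcip']} SSO {c['sso_at']:%H:%M:%S} "
              f"-> config download {c['download_at']:%H:%M:%S} "
              f"-> admin '{c['new_admin']}' added {c['admin_at']:%H:%M:%S} "
              f"(known bad name: {c['known_bad_name']})")
```

Single-stage hits (the FGT-BRANCH-02 SSO login above) are still worth a look; `stage_events()` returns them so they can be listed separately, while `find_chains()` only fires on the full sequence the post tells you to prioritise.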
Hunting Queries
Splunk SPL

Stage 1 – SSO login by IOC account / IP:
index=* (sourcetype=fortigate OR sourcetype=fortinet* OR source=*forti*)
(method="sso" OR ui="sso*")
(user="cloud-init@mail.io" OR user="cloud-noc@mail.io"
OR srcip="104.28.244.115" OR srcip="104.28.212.114" OR srcip="217.119.139.50" OR srcip="37.1.209.19")
| stats count min(_time) as first_seen max(_time) as last_seen values(user) values(srcip) values(ui) by host devname
| convert ctime(first_seen) ctime(last_seen)

Stage 2 – system config download (wildcard match on msg; like() is an eval function and cannot be used in the base search):
index=* (sourcetype=fortigate OR sourcetype=fortinet*)
(logid="0100032095" OR (action="download" AND msg="*System config file*downloaded*"))
| stats count values(user) values(srcip) values(ui) values(msg) by host devname

Stage 3 – local admin added / edited:
index=* (sourcetype=fortigate OR sourcetype=fortinet*)
(cfgpath="system.admin" AND (action="Add" OR action="Edit"))
| eval suspicious_new_admin=if(cfgobj IN ("secadmin","itadmin","support","backup","remoteadmin","audit"),"yes","no")
| stats count values(user) values(srcip) values(ui) values(cfgobj) values(msg) by host devname suspicious_new_admin
Elastic KQL (phrase matches on message replace the original *"..."* wildcards, which KQL does not accept around a quoted phrase)

Stage 1 – SSO login by IOC account / IP:
(event.module:fortinet OR event.dataset:*forti* OR tags:fortigate)
AND (fortinet.method:sso OR message:"method=\"sso\"" OR message:"ui=\"sso(")
AND (
user.name:"cloud-init@mail.io" OR user.name:"cloud-noc@mail.io"
OR source.ip:"104.28.244.115" OR source.ip:"104.28.212.114" OR source.ip:"217.119.139.50" OR source.ip:"37.1.209.19"
OR message:"cloud-init@mail.io" OR message:"cloud-noc@mail.io"
)

Stage 2 – system config download:
(event.module:fortinet OR event.dataset:*forti*)
AND (
fortinet.logid:"0100032095"
OR message:"System config file has been downloaded"
OR (event.action:download AND message:config)
)

Stage 3 – suspicious local admin added:
(event.module:fortinet OR event.dataset:*forti*)
AND (message:"cfgpath=\"system.admin\"" OR fortinet.cfgpath:"system.admin")
AND (message:"action=\"Add\"" OR event.action:Add OR message:"Object attribute configured")
AND (message:"cfgobj=\"secadmin\"" OR message:"cfgobj=\"itadmin\"" OR message:"cfgobj=\"support\"" OR message:"cfgobj=\"backup\"" OR message:"cfgobj=\"remoteadmin\"" OR message:"cfgobj=\"audit\"")
Wazuh (Rules + Hunt)
<group name="fortinet,cve_2026_24858,">
<rule id="110248580" level="12">
<decoded_as>syslog</decoded_as>
<match>logdesc="Admin login successful"</match>
<regex>method="sso".*user="(cloud-init@mail\.io|cloud-noc@mail\.io)"</regex>
<description>CVE-2026-24858: Suspicious FortiCloud SSO login by known malicious account</description>
</rule>
<rule id="110248581" level="13">
<decoded_as>syslog</decoded_as>
<regex>logid="0100032095".*action="download".*System config file has been downloaded</regex>
<description>CVE-2026-24858: System config download via GUI (possible exfil)</description>
</rule>
<rule id="110248582" level="14">
<decoded_as>syslog</decoded_as>
<regex>cfgpath="system\.admin".*action="Add".*cfgobj="(secadmin|itadmin|support|backup|remoteadmin|audit)"</regex>
<description>CVE-2026-24858: Suspicious local admin created after SSO activity</description>
</rule>
</group>
Wazuh dashboard hunt query (DQL, same phrase syntax as KQL):
data.program:(fg* OR forti*)
AND (
message:"cloud-init@mail.io" OR message:"cloud-noc@mail.io"
OR message:"logid=\"0100032095\""
OR (message:"cfgpath=\"system.admin\"" AND message:"action=\"Add\"")
)
